720. Thank you so much for coming. We are
deep into our inquiry now. I mentioned to you outside that it
is not normally something that the Defence Committee would do,
but we do not have quite the same institutional loyalties that
perhaps other committees might have and we were left with the
role that needed to be played by Parliament and we are doing it,
so we have looked into this and we are looking at the military,
local authorities, the private sector, the police, ambulance and
fire services, and seeing where they can better be integrated.
There is less attention given to the role of the private sector
but the private sector is critically important. In some ways the
public sector has a lot to give by way of expertise to the private
sector but I strongly suspect that good companies and good operations
in the private sector can give infinitely more advice to the public
sector. You have gone through a number of crises over the years
vis-a"-vis terrorism and, pretty obviously, continuity and
resilience are words used very, very frequently amongst companies
that are truly aware of what is happening. The first thing I wanted
to ask is an all-level question which is how would you define
business continuity and resilience?

(Mr Sharp) If we look at the definition
of business continuity, which can apply to any organisation whether
it is a commercial, not-for-profit or government organisation,
then it is a process by which organisations are able to identify
the incidentsand we use the word "incidents"
rather than "disasters"which can affect the mission
critical processes of an organisation whatever that may be and
having identified those mission critical areas for it to have
in place appropriate plans which are both coherent across the
organisation but, most importantly, rehearsed to deal with any
incident that may occur. The issue we have got here is mission
critical and understanding what is critical for the organisation.
That does not matter, as I said before, whether you are public,
private or government, each has a mission to deliver, and clearly
those are the things that one should protect.

721. The terms continuity and resilience
are often treated interchangeably. Can you clarify it further?
(Mr Sharp) The way I perceive it is that resilience
is one of the things that you build in in order to build continuity
so it is your techniques of ensuring that your organisation can
continue in business. I do not know if you would agree with that?
(Mr Wood) I would not disagree with anything that
John has said. I think it is all about the continuity of our business
operations. The big difference that businesses are starting to
think about with regard to business continuity and planning is
we have shifted away from what was called "disaster recovery"
which is what people were planning for, which is the inevitable
disaster, to how we can sustain our operations, not just in times
of major incident but in times of all sorts of difficultiesso
other factors that might affect us from the outside world or from
the outside community. The other issue that we have changed our
emphasis on is that inevitably historically we have focused on
the survivability of IT systems and we have focused just on information
technology where, in fact, we need to broaden that scope and look
at our knowledge of operations, our business knowledge, our centre
of core processes, and understand how we can build resilience
into that. If we lost all our key knowledge, which is very focused
in our minds post-11 September where businesses lost their entire
management structure and their entire core knowledge of how their
business operations continued, how we can build in resilience
to make sure that we do not suffer that sort of loss. We have
stretched beyond what was originally just a focus on information
technology.

722. How many and what kind of companies
are really into this?
(Mr Sharp) We have recently done a survey supported
by one of the government departments with the Institute of Management
looking at the type of organisations doing continuity. Commercial
organisations are the major drivers. You probably again would
agree that the finance sector is the biggest driver here. The
survey was carried out across 5,000 companies of all sizes and
all types and disciplines. What we found there was that only 45
per cent of those organisations have business continuity in place,
so there are a lot of people who believe they have processes in
place but when you get down to it they have not got proper continuity.
It is concentrated currently in the major financial organisations,
major retail organisations, and coming into some major manufacturers.
It has not percolated down into the small and medium businesses
yet.
(Mr Gamble) We certainly have it in the oil industry.
(Mr Sharp) Indeed we do.

723. What sort of documents should we be
looking at then to have a real flavour or concept of business
continuity and resilience? There must be textbooks. I have been
to a few conferences. If you have time, could you just give us
a flavour. I would certainly love to come along and talk to you
individually on this because I think it is not just a fascinating
but a very relevant subject. Is the expertise you are seeing being
passed on to government departments? Are government departments
equally aware of the threat to their operations as a result of
a major fire or some catastrophic attack?
(Mr Sharp) We started working with the DTI and what
is now the Government Office of Commerce, the CCTA, back in 1999
as a result of the work that was going on to put continuity in
place for the year 2000 in government departments. It was identified
to us that the Cabinet Office would make the assessment of plans
that were going to be presented but there were no effective measures
to evaluate those plans. So we worked with the DTI and the CCTA,
as it was then, and also with the insurance industry to produce
evaluation criteria.. We then went on to produce a guideline for
continuity management, something I submitted by e-mail last night
and which will be in the papers you have. That again has been
supported by government organisations, the CCTA and the DTI, it
tries to encourage a common approach to continuity. What has happened
subsequent to 11 September is that the Government Office of Commerce
issued a guideline for all government departments and agencies
on continuity and that was based on the guidelines that you have
in front of you. I have a copy of that with me.

724. That would be really helpful.
(Mr Sharp) I can get that to you. There is an awareness
and the Civil Contingency Secretariat is beginning to try and
promote it. The Department of Transport, Local Government and
the Regions has recently sponsored some work because of the fuel
crisis. Again it was the same, to try to promote and encourage.
The feedback I get from a meeting I attended at the Civil Contingency
Secretariat is that perhaps government departments are not taking
it as seriously as they should.

725. Can you give us some picture as you
see it of 11 September. Are memories fading, do people think they
are over the worst or was it a real wake-up call to the private
sector?
(Mr Wood) I do not think that people are having fading
memories of it. It has certainly served to heighten the attention
of business management and senior business management that this
is a risk that is more significant than they perhaps perceived
before. It was a huge awakening to the US and to the US community
in general. Indeed, I think it was the first real recognition
that terrorism had hit them in the homeland and it has hurt more
than they ever anticipated. Because of our long history of indigenous
terrorism within the United Kingdom it has been at the forefront
of our minds. This was the very first time that the people have
appreciated that we have a different type of terrorist, willing
to enact his terrorism on our own doorsteps and not worry about
the catastrophe that comes or the loss of life that will follow
and who is also not concerned about their individual, personal
loss of life. So we are seeing a different focus for how terrorism
is being fought and being brought to us. I think it has caused
organisations that have a global structure like ourselves (where
we have representation in many countries) to understand that the
risk is very real and that the risk to us because of our association
with the US or other areas and because of the way in which the
UK has stood as a staunch ally with the US that we are probably
at more risk than some of our European counterparts.

726. Have there been examples in recent
years of companies who have not had disaster recovery plans who
have now been fatally injured as a result of their lack of preparedness?
(Mr Sharp) It is not a terrorism incident butand
this is House of Commons water I seethere was a classic
incident with Perrier

727.Of course.
(Mr Sharp)Who failed to deal with a minor problem
and saw it escalate and the consequences of that. I would also
point you toWoods BNFL and the issues of BNFL and the consequences
of that.
(Mr Gamble) In Japan at the moment Snowbrand, which
has almost gone out of business because of the way it has been
sending out contaminated milk, is another example. If you get
it completely wrong and you do not have the management in place
you can eventually lose your reputation. I suppose in a way Enron
is another example of a failure of management.

Mr Hancock

728. It had nothing to do with management
failures!
(Mr Sharp) And Andersen's as well. But you asked,
Chairman, about whether or not people are still paying attention
to the events following 11 September. Certainly my members because
they are the buyers of insurance are extremely interested because
not a day passes without some insurance company deciding to withdraw
some cover. That goes back to 11 September.

Chairman: We will come on to that. Kevan?

Mr Jones

729. Clearly amongst yourselves there is
a lot of experience in terms of this type of work and I hear what
you have said about having discussions with the government and
the Civil Contingency Secretariat about promoting it in business.
Have they come to you to ask for any assistance or tried to draw
upon the expertise that you or other organisations have got in
this to look at putting in place the review that is currently
going on about preparations post-11 September in United Kingdom
policy?
(Mr Sharp) I was invited to come and talk to the Civil
Contingency Secretariat very early on in their work when they
started business continuity resilience and they have now asked
us to work very closely with them in promoting best practice and
helping them also to focus on how we could improve the resilience,
so that is one area. I would like to come back a little bit later
to address that.

730. That is promotion. Have they asked
you for models that you use to adapt for government use?
(Mr Sharp) The Government have adopted one model already
and issued that, of which the Civil Contingency Secretariat are
aware. The FSA are an interesting body because they have asked
us to give them advice and help. They are encouraging and supporting
us in a group that we have now formed from across the finance
sector to develop good practice guidelines and evaluation criteria.
I use the word "encourage" because our Regulators are
reluctant to endorse and reluctant to actually require, and that
is light-handed regulation.
(Mr Wood) I would echo that issue in terms of we would
as an industry, and certainly within the financial sector, appreciate
a firm set of guidance from the Regulators as to what they are
expecting. These woolly ideas that they think are best practice
against essential practice or good practice and not knowing to
what level they want to assess our preparedness is confusing and
is not good for business. If they articulated clearly what they
are expecting and what they would want to see, we would all be
in a better state of preparedness to look at it. They could judge
us all on an equal footing as to where we are and what we are
going to do.

Chairman

731. Do they have that expertise?
(Mr Sharp) No and they are turning to us to help them
with that expertise.
(Mr Wood) That is fair to say with regard to some
of the regulatory authorities. In fairness, there are elements
of government departments that do have it. I think probably the
defence sector is keen that there is a good understanding and
as a retired serving officer I would echo that that is probably
where I gained a good percentage of my knowledge. But then you
develop it and put it around the business spin and the issues
you need to put into practice in business operations. Certainly
they are used to dealing with incident management, they are used
to dealing with serious problems, and they have got a fair amount
of experience and training from that.

Mr Jones

732. I accept that but that is one department.
(Mr Wood) I agree, it is only one department.

733. For example, let us say 11 September
or something similar happened here and wiped out many Inland Revenue
records or some other department's records.
(Mr Wood) Absolutely.

734. That might bring a sigh of relief!
(Mr Sharp) Is that a recommendation from this Committee!

735. That would create real problems. To
what extent are government prepared for something like that to
put contingencies in place if that were to happen or if some other
main database or collection were affected by an act of terrorism?
(Mr Wood) It is difficult for us to comment on a particular
department because we are not aware what planning is there but
I know again from my previous background when I was instrumental
in looking at national key infrastructures and critical installations
and critical key points and therefore the planning and contingency
work around that sort of activity is done and is prepared and
is thorough and does look in some detail at what is necessary
to keep UK plc going. I think you are correct in saying that the
large institutional parts of government that have these masses
of records do need to think very carefully about how their contingency
plans are and whether they are prepared and, more importantly,
going back to the point John made, they then need to rehearse
them because without rehearsal there is no point in having the
plans in the first place.

736. You are perhaps not aware of the detail
but post-11 September has the Civil Contingency Secretariat asked
you for any help?
(Mr Wood) I have to admit to not even understanding
or knowing what the Civil Contingency Secretariat is about.

737. You are lucky!
(Mr Sharp) They are certainly looking to map out the
critical infrastructures and then they are trying to identify
how resilient that is and they want to publish this infrastructure
map. I have suggested that they should identify the weaknesses
and plug them before they publish it.

738. We are now a few months on. Is that
not quite a fundamental situation in terms of mapping it out?
We do not know what bits, before you publish, need protecting.
I agree with you that it is perhaps best not to publish it until
the plans are in place to protect it. Is that not a fundamental
starting point?
(Mr Sharp) That work has been going on and was going
on before 11 September. It was going on because of the fuel crisis
and then foot and mouth forced it on, but the fuel crisis really
drove it. We think 11 September has serious consequences but the
fuel crisis had far greater consequence for the UK and has driven
many people in departments who were involved in the COBR activities
to focus very clearly on trying to clear up the inconsistencies
and failures of our systems. Coming back to the Inland Revenue,
if you take that and many other government departments they have
outsourced IT processing to the private sector. This morning I
was reading a paper from a serving military officer about the
resilience of the Pay Units and how effective the continuity processes
of the Pay Units were, which have now been outsourced.

739. Was that because the private sector
chose to do it as a matter of course or were they told to do that
by Government?
(Mr Sharp) It comes back down to what is in the contract.
(Mr Wood) It is very much dependent upon how the service
level agreement is put in place and what you are specifying and
whether you are conscious of the fact that we need to specify
it in the first place. That is the issue and I do not think that
has always been the case.
(Mr Sharp) Contracts that are in place do not necessarily
have effective continuity in them.